Industry Committee on Nov. 30th, 2023

No.

I think it's already a good start for businesses, and that, incidentally, is why I'm here.

I know that the sharing of bank information isn't necessarily the main subject matter of Bill C-27, but I think the bill lays the foundation for the legislative framework promised in the fall economic update. It's currently the closest thing to something that enables data sharing and portability.

I also think you should establish stricter terms and conditions and insert them in a regulatory division following from Bill C-27 or in a future bill directly concerning an open banking system.

Are you asking that question with respect to artificial intelligence?

It's actually important to understand that the consumer banking system has a virtually global presence. Canada is one of the last countries where there is no right to data portability. Many countries that are very close to us in the Commonwealth, such as Great Britain and Australia, as well as the entire European Union and certain Asian countries, have that kind of system, and we can already see how easy interoperability is among those countries.

I think it's time for Canada to step into the modern world and grant Canadians the right to portability. As for interoperability, I'd say it's not very complex. The rules are quite similar.

I'll refrain from commenting on artificial intelligence because I'm not an expert in that field. It's an extremely complex subject. I think everyone's trying to understand this, including the president of OpenAI, who was fired and then rehired. So I'll refrain from commenting on the subject in the context of a piece of general legislation.

Absolutely. That's why we're very pleased that Bill C-27 was introduced. Our business currently operates in a system that lies in a kind of grey area and that hasn't been extensively legislated. We've been asking the federal government to intervene on behalf of consumers for a very long time now.

You mention pop-up windows. From our viewpoint, it's much more precise than that and more highly regulated. If you have an online app to do your accounting or manage your retirement or investments, you will have to give consent. We want that consent to be adequately protected and renewed as well.

Although our case is a bit different from anything involving cookie files and pop-up windows, we want regulations to be added that give consumers the power to consent to their data being shared and that guarantee them adequate protection. Let's be honest: there are two taboos in society, and they are our finances and our personal information. Here we're combining the two.

So, to sum up, it's important to have adequate protection, and, as far as we're concerned, just as important that consent have to be given. For all the systems and authorities I mentioned earlier, businesses should be responsible for getting consent.

We're very pleased with the content of the bill because it will create a legislative framework that's safe and therefore more effective for consumers. That will also enable our business to grow in an environment that's secure and stable.

Consent is indeed one of the methods for protecting consumers. It's the method that has mainly been used in this bill. Something else could have been chosen, and other protection standards could have been added, but what we still have here is legislation that hinges on consent. Consent can be a method that operates to protect consumers in the digital environment and enables them to control their information, provided that consent is effective and can genuinely be useful to consumers.

Bill C-27 poses a problem with regard to related exceptions to the requirement of consent. We feel that those exceptions are too broad. The exception that concerns us most is the one provided under clause 18, for the purpose of business activities and legitimate interest. This is an exception that we consider too broad. We find it hard to understand how it can be consistent with the implicit consent that already exists. We therefore suggest deleting clause 18, which would allow businesses too much leeway to use consumers' information without their consent.

You also mentioned pop-up windows at the start of your question. It seems to me you're referring to the concept of consent fatigue, which occurs as a result of being constantly asked to give your consent. People are bombarded with demands and requests for consent, and we're aware of this concern about consent fatigue.

We think that businesses should show some creativity. The bill should also offer effective solutions enabling consumers to express a blanket refusal to be tracked online. When we go onto various websites, mobile apps and tech company platforms, our privacy and data are permanently captured for those businesses to use for commercial and other purposes. The current method is to have us consent singly to each business when pop-up windows appear.

The solution we suggest in our brief is that we instead create mechanisms enabling consumers to state a blanket refusal to allow their browsing data or other personal information to be transmitted to any companies with which they do business. This is what we call the "do not track" mechanism, which is already available in web browsers but isn't recognized by businesses. We propose that businesses be required to recognize this kind of signal or parameter that, with one click, enables people to send a blanket refusal to provide their personal information. This would put an end to the consent fatigue we all dislike.

That's a very good question. It could be included in the clause on consent. I can't remember the exact clause, but one of them provides that consent must be implied. You could word it so that consumers may indicate a general refusal to share their information, which could target certain types of information such as a person's browsing data or usage data from a person's digital devices.

Consumers could indicate their refusal through an interface or some technology, and businesses would have to honour that refusal. It might not be that technically difficult to integrate because web browsers already have these kinds of parameters. It would simply be a matter of compelling businesses to honour consumers' wishes.

Technically speaking, no one in Canada currently owns his or her financial data. You deal with the bank, and you have an online account and probably a checking account and a mortgage. All that generates data, including basic information such as your address. Currently, if someone wants to purchase another financial product offered by another bank, that individual's bank may refuse to pass on the customer's financial information because the customer doesn't own it.

I'm going to give you a brief history of the right to data portability. It wasn't invented by the private sector or technology companies. It's actually the result of a legislative proposal made in the United Kingdom by Competition & Markets Authority following the 2009 financial crisis. CMA claimed that the banks hadn't championed the rights of consumers and that there was an excessive concentration in that sector.

In its report, entitled "Making banks work harder for you", CMA stated that the right to portability was the solution. In other words, consumers should be granted the right to take their financial data and do business with the institution of their choice, which would enable them, for example, to compare mortgage rates, various investments and different percentages and interest rates in effect for checking and other accounts.

The policy snowballed. As I said, most OECD countries and, I believe, the 70 largest economies now acknowledge the right to data portability. Australia has been a little more ambitious: it uses data portability in other sectors, such as telecommunications and energy.

Does that answer your question?

I'll be brief. The risks are enormous, and the reason for using those tools seems debatable to me.

For the moment, based on the information that has come out, the reason why those tools were used isn't very clear. Furthermore, I believe that a government should be irreproachable, since the bill requires businesses to conduct privacy impact analyses and to show that their practices are exemplary.

I don't need to provide any details, but those tools are used to monitor activists and journalists. People have gone to prison or died as a result of those kinds of tools, which are also used in certain totalitarian countries and countries that monitor political opponents. I think those revelations should be subject to an in-depth analysis and investigation.

I think you should add a clause providing that those surveillance tools definitely not be used to collect data for which consent has been obtained from the persons concerned. That clause should focus specifically on how those surveillance tools should be controlled and ensure that the use of those kinds of tools is subject to significant guardrails.

I imagine there could be strict national-security exceptions. However, from what I understand about the revelations, many departments use those tools in situations that have nothing to do with national security. Consequently, I think it's necessary that you add a specific clause framing the options for using those tools and impose guardrails, in addition to significant judicial control.